Microsoft Security Bulletin MS16-035 - Important

Executive Summary

This security update resolves a vulnerability in the Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For an assessment of how likely the vulnerability is to be exploited within 30 days of this bulletin's release, in relation to its severity rating and security impact, see the Exploitability Index in the March bulletin summary.

Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for every Windows 10 vulnerability addressed in the monthly security release. The updates are available via the Microsoft Update Catalog.

Note Windows Server Technical Preview 4 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update.

Update FAQs

**Why was this bulletin re-released on May 10, 2016?**
To address certain printing issues customers may have experienced after installing the security updates for Microsoft .NET Framework 4.5.2 or Microsoft .NET Framework 4.6/4.6.1, the updates for these versions of Microsoft .NET Framework have been re-released as follows:

**How do I determine which version of the Microsoft .NET Framework is installed?**
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see [Microsoft Knowledge Base Article 318785](https://support.microsoft.com/kb/318785).

**There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?**
Yes. Customers should apply all updates offered for the software installed on their systems.

**Do I need to install these security updates in a particular sequence?**
No. Multiple updates for a given system can be applied in any sequence.
Vulnerability Information
-------------------------
.NET XML Validation Security Feature Bypass - CVE-2016-0132
-----------------------------------------------------------
A security feature bypass vulnerability exists in a .NET Framework component that does not properly validate certain elements of a signed XML document. An attacker who successfully exploited the vulnerability could modify the contents of an XML file without invalidating the signature associated with the file. If a .NET application relies on that signature to establish that the document has not been tampered with, the application could act on attacker-controlled content and its behavior could become unpredictable. In custom applications, the security impact depends on the specific usage scenario.

In a .NET application attack scenario, an attacker would supply a modified XML document whose signature still passes validation. The update addresses the vulnerability by correcting how the .NET Framework validates signed XML documents.

The standard entry for this vulnerability in the Common Vulnerabilities and Exposures list is [CVE-2016-0132](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0132).
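The bulletin does not describe which elements of a signed document were insufficiently validated, and the following example does not reproduce the flaw. It is an added example, not code from the bulletin or from Microsoft, and it shows the application-side check that makes the consequence of this class of bug (a signature that still validates after the document was changed) far less useful to an attacker: after `SignedXml.CheckSignature()` succeeds, confirm that the signature's `Reference` covers exactly the element the application is about to trust. The class name `SignedXmlCoverage`, the method `VerifyCovers`, and the `<Envelope>/<Order>` sample document are constructed for this example; it assumes a runtime where `System.Security.Cryptography.Xml` is available (.NET Framework 4.6.2 or later, or the `System.Security.Cryptography.Xml` package on .NET Core/.NET 5+).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not code from the bulletin or from Microsoft). Shows why
// SignedXml.CheckSignature() alone is not enough: the application must also
// confirm that the signature's Reference covers the element it consumes.
public static class SignedXmlCoverage
{
    // True only if (1) the single <Signature> in 'doc' verifies under 'key' and
    // (2) its single Reference resolves unambiguously to 'expected'.
    public static bool VerifyCovers(XmlDocument doc, XmlElement expected, AsymmetricAlgorithm key)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;                  // zero or several signatures: reject

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        if (!signedXml.CheckSignature(key)) return false;   // reference digests + SignatureValue

        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        string uri = reference.Uri ?? string.Empty;

        if (uri.Length == 0)                                // URI="" means the whole document
            return ReferenceEquals(expected, doc.DocumentElement);
        if (!uri.StartsWith("#", StringComparison.Ordinal)) return false; // no external/XPointer refs

        XmlElement target = FindUniqueById(doc, uri.Substring(1));
        return target != null && ReferenceEquals(target, expected);
    }

    // Resolve the Id ourselves and insist on exactly one match, so a second element
    // carrying the same Id cannot make the reference ambiguous.
    private static XmlElement FindUniqueById(XmlDocument doc, string id)
    {
        XmlElement found = null;
        foreach (XmlElement el in doc.SelectNodes("//*"))
        {
            if (el.GetAttribute("Id") != id) continue;
            if (found != null) return null;                 // duplicate Id: ambiguous, reject
            found = el;
        }
        return found;
    }

    public static void Main()
    {
        // Constructed sample document; the business element to be signed carries Id="order1".
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Envelope><Order Id=\"order1\"><Amount>10</Amount></Order></Envelope>");

        using (RSA rsa = RSA.Create(2048))
        {
            // Sign only <Order Id="order1"> via a same-document Id reference.
            var signer = new SignedXml(doc) { SigningKey = rsa };
            var reference = new Reference("#order1");
            reference.AddTransform(new XmlDsigExcC14NTransform());
            signer.AddReference(reference);
            signer.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));

            var signedOrder = (XmlElement)doc.SelectSingleNode("/Envelope/Order[@Id='order1']");
            Console.WriteLine("genuine order covered: " + VerifyCovers(doc, signedOrder, rsa)); // True

            // Wrapping-style tampering: an unsigned <Order> is inserted ahead of the signed one.
            // CheckSignature() still succeeds because the signed element is untouched, so code
            // that simply reads "the first <Order>" would act on attacker-supplied content.
            XmlElement fake = doc.CreateElement("Order");
            fake.InnerXml = "<Amount>999999</Amount>";
            doc.DocumentElement.PrependChild(fake);

            var firstOrder = (XmlElement)doc.SelectSingleNode("/Envelope/Order");
            var check = new SignedXml(doc);
            check.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
            Console.WriteLine("signature still valid: " + check.CheckSignature(rsa));          // True
            Console.WriteLine("first order covered:   " + VerifyCovers(doc, firstOrder, rsa)); // False
        }
    }
}
```

The design point is that `CheckSignature()` answers only "do the referenced bytes match their digests and is the SignatureValue correct"; it says nothing about whether the element your code reads next is among those referenced bytes. Binding the verified reference to the consumed element, rejecting multiple signatures or references, and refusing ambiguous Ids are checks an application can make on its own, and they remain worthwhile after this update is installed.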

### Mitigating Factors
Microsoft has not identified any [mitigating factors](https://technet.microsoft.com/library/security/dn848375.aspx) for this vulnerability.
### Workarounds
Microsoft has not identified any [workarounds](https://technet.microsoft.com/library/security/dn848375.aspx) for this vulnerability.
Security Update Deployment
--------------------------
For Security Update Deployment information, see the Microsoft Knowledge Base article referenced [here](#kbarticle) in the Executive Summary.
Acknowledgments
---------------
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See [Acknowledgments](https://technet.microsoft.com/library/security/mt674627.aspx) for more information.
Disclaimer
----------
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
---------
- V1.0 (March 8, 2016): Bulletin published.
- V2.0 (May 10, 2016): Revised bulletin to announce the security updates for Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 have been rereleased to address issues with certain printing scenarios. The rereleases are available via [Windows Update](http://go.microsoft.com/fwlink/?linkid=21130) and the [Microsoft Update Catalog](http://catalog.update.microsoft.com/v7/site/home.aspx). Note that this re-release applies only to LDR (Limited Distribution Release) customers. GDR (General Distribution Release) customers are not affected. For more information about the specific security updates that were re-released, see the Update FAQs section of this bulletin (MS16-035).
- V2.1 (May 18, 2016): Revised bulletin to clarify the distribution audience for the Microsoft .NET Framework 4.5.2 and Microsoft .NET Framework 4.6/4.6.1 security updates that were re-released on May 10, 2016, as follows: The security updates for Microsoft .NET Framework 4.5.2 have been re-released to Limited Distribution Release (LDR) customers only. The security updates for Microsoft .NET Framework 4.6/4.6.1 have been re-released to all customers.
- V2.2 (July 13, 2016): Revised bulletin to inform customers that the 3135996 update has been refreshed. This is an informational notification only. Customers who have already successfully installed the update do not need to take any further action.
- V2.3 (August 11, 2016): Revised bulletin to announce a detection change to correct an offering issue for 3135996. This is a detection change only. There were no changes to the update files. Customers who have already successfully installed the update do not need to take any action.
- V2.4 (August 11, 2016): Clarification to rev note v2.3 - A newer version of update 3135996 was made available to all customers, not only Limited Distribution Release (LDR) customers. Some customers may have not been offered this latest version between 7/13/2016 and 8/11/2016. The last version of update 3135996 released on 8/11/2016 will bring customers to an up to date state.
- V2.5 (October 11, 2016): Revised bulletin to announce the security updates 3135994 and 3135995 for Microsoft .NET Framework 4.5.2 on Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 have been rereleased to the WSUS channel exclusively. This re-release does not apply to Windows Update or Microsoft Update Catalog customers. This re-release addresses an offering issue that prevented certain GDR customers within WSUS environments from receiving these updates if they had enabled the “automatically decline updates when a new revision causes them to expire” feature. There are no changes to the file payload. If customers have already successfully deployed updates 3135994 and 3135995, they do not need to take any action.
- V2.6 (November 8, 2016): Revised bulletin to announce that a detection change was made to account for .NET Framework 4.6.1 hotfix rollup customers who were not being properly offered security updates applicable to .NET Framework 4.6.1.
*Page generated 2016-11-28 12:58-08:00.*